in reply to Special Chars in CGI form variables

Why don't you simply print "$field" inside the file? I guess there's a prefix slash in this variable, which makes ".//something" perfectly valid (duplicated slashes are tolerated) while "./blah-/something" would fail miserably (unless you've a "blah-" subdirectory, of course).

As a general note you should avoid doing things like this, even if you're dealing with a hidden field - these are no more secure than visible ones. Use tainted mode, and place strict restrictions upon filenames you allow, like:

    $field =~ s/[^\w.-]//g;   # keep alpha, num, and "_.-"
    if ($field =~ /([\w.-]+)/) {
        $field = $1;          # regex capture untaints the value
    } else {
        $field = undef;
    }
    # now $field is untainted

Another piece of advice: use the three-argument open instead of appending the filename to the ">" char.

All that said, take a deep look at perldoc perlsec!

Flavio (perl -e "print(scalar(reverse('ti.xittelop@oivalf')))")

Don't fool yourself.
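As an added example (not code from Flavio's post or from the original thread): a script that applies the whitelist untainting above under taint mode, then writes through a three-argument open into a fixed base directory. The `$BASE` path, the function names and the sample inputs are assumptions made for illustration.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;

# Constructed example: $BASE is an assumed data directory that the CGI
# script is allowed to write into. Nothing outside it is ever opened.
my $BASE = '/var/www/data';

sub untaint_filename {
    my ($raw) = @_;
    return undef unless defined $raw;
    # Keep only word characters, dot and hyphen, as in the post above.
    (my $clean = $raw) =~ s/[^\w.-]//g;
    # Reject empty names, dot-only names and hidden (dot-prefixed) files.
    return undef if $clean eq '' || $clean =~ /^\./;
    # Capturing from a regex is what actually untaints the value.
    return $clean =~ /^([\w.-]+)$/ ? $1 : undef;
}

sub append_record {
    my ($raw, $line) = @_;
    my $name = untaint_filename($raw)
        or die "refusing to write: unacceptable filename\n";
    my $path = "$BASE/$name";
    # Three-argument open: the mode is fixed, the name cannot alter it.
    open my $fh, '>>', $path or die "open $path: $!\n";
    print $fh $line, "\n";
    close $fh or die "close $path: $!\n";
    return $path;
}

# Sample form values, constructed for illustration.
for my $input ('smith_rj.txt', '../../etc/passwd', 'a b/c.txt', '..') {
    my $name = untaint_filename($input);
    printf "%-18s -> %s\n", $input, defined $name ? $name : '(rejected)';
}
```

Run it as above to see that "a b/c.txt" collapses to "abc.txt" while the dot-prefixed and traversal-style values are rejected before any open is attempted.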

Re^2: Special Chars in CGI form variables
by rsiedl (Friar) on Apr 20, 2005 at 13:31 UTC
    I've tried "print", "warn", you name it, but it still shows up nothing.

    The filename is extremely simple "smith_rj.txt" and I was only using the form field, cause it was not to be used by users - so no security issues...
      Just because a form variable is "hidden" doesn't mean someone can't edit it. This is a very common misconception regarding CGI programming.
      Did you print also after the "blah-" prefix addition? Did you try to print something like "($field)" (note parens)? As a last resort, try to print:
      print join "\n", map { "0x" . unpack("H2", $_) } split //, $field; print $/;
      which will give you the hex dump of the string.

      Flavio (perl -e "print(scalar(reverse('ti.xittelop@oivalf')))")

      Don't fool yourself.